df9p34 network concepts adv without exam


  • 7/31/2019 DF9P34 Network Concepts Adv Without Exam


    DF9P 34

    Network Concepts

    Advanced

    June 2005


    Network Concepts: Advanced COLEG

    COLEG/SQA

    Acknowledgements

    Microsoft and Windows are registered trademarks of the Microsoft Corporation. Screenshots are reproduced by permission of Microsoft Corporation.

    COLEG/SQA Version 1 DF9P 342

    Colleges Open Learning Exchange Group (COLEG) and the Scottish Qualifications Authority. Material developed by Cardonald College. No part of this publication may be reproduced without the prior written consent of COLEG and SQA.


    Introduction to the unit

    What this unit is about

    This unit is designed to introduce you to the issues involved in installing and supporting computer networks, internal and external to an organisation. It is intended for candidates undertaking an HNC/D in computing, computer networking or a related area who require a broad knowledge of computer networks.

    In the first section you will learn about network media and topologies, including logical and physical topologies (star, hierarchical, bus, mesh, ring and wireless) and the features of technologies such as LLC, Ethernet, token ring, wireless and FDDI. You will also learn about Ethernet characteristics, media types and connectors, and network components such as hubs, switches, routers, bridges, gateways, CSU/DSU, interface cards, ISDN adapters, system area network cards, wireless access points and modems.

    In the second section you will learn about network protocols, including TCP/IP, IPX/SPX and NetBEUI, the seven layers of the OSI Reference Model, network services, WAN technologies, network security and remote access.

    In the third section you will learn how to implement local area networks, including analysing client requirements and specifying appropriate solutions. You will learn about server operating systems, client workstations, VLANs, network storage, fault tolerance, disaster recovery, security and network settings.

    In the final section you will learn how to provide network support, including troubleshooting network problems, configuring servers and carrying out hardware implementation tasks.

    Please note: The first two study sections are contained in the companion volume for this unit entitled: DF9P 34 Network Concepts: Introduction. Study sections 3 and 4 are contained in this book.

    Outcomes

    On completion of this unit you should be able to:

    1. Describe network media and topologies.

    2. Describe network protocols and standards.

    3. Implement local area networks.

    4. Provide network support.


    Unit structure

    This unit contains four study sections. You will need two books to cover the whole unit.

    Study sections 1 and 2 are contained in the companion volume for this unit entitled: DF9P 34 Network Concepts: Introduction. Study sections 3 and 4 are contained in this book.

    Section number and title                 Approximate study time (hours)

    1 Network media and topologies           16

    2 Network protocols and standards        16

    3 Implementing local area networks       24

    4 Providing network support              24

    How to use these learning materials

    This teaching pack contains all the theory required to achieve the unit. There are a number of self assessment questions (SAQs) that assess your knowledge and understanding of the various topics. There are also a number of practical activities that get you to carry out a particular practical piece of work.

    Symbols used in this unit

    These learning materials allow you to work on your own with tutor support. As you work through the course, you will encounter a series of symbols, which indicate that something follows that you're expected to do. You will notice that as you work through the study sections you will be asked to undertake a series of SAQs, activities and tutor assignments.

    An explanation of the symbols used to identify these is given below.

    Self assessed question

    This symbol is used to indicate an SAQ. Most commonly, SAQs are used to check your understanding of the material that has already been covered in the sections. This type of assessment is self contained; everything is provided within the section to enable you to check your understanding of the materials.

    The process is simple:

    you are set SAQs throughout the study section

    you respond to these, either by writing in the space provided in the assessment itself, or in your notebook

    on completion of the SAQ, you turn to the back of the section to compare the model SAQ answers to your own

    if you're not satisfied after checking out your responses, turn to the appropriate part of the study section and go over the topic again

    Remember the answers to SAQs are contained within the study materials. You are not expected to guess at these answers.

    Activity

    This symbol indicates an activity which is normally a task you will be asked to do which should improve or consolidate your understanding of the subject in general or a particular feature of it.

    The suggested responses to activities will follow directly after each activity.

    Remember that the SAQs and activities contained within your package are intended to allow you to check your understanding and monitor your own progress throughout the course. It goes without saying that the answers to these should only be checked out after the SAQ or activity has been completed. If you refer to these answers before completing the activities, you cannot expect to get maximum benefit from your course.

    Tutor assignment (formative assessment)

    This symbol means that a tutor assignment is to follow. This is found at the end of the unit. The aim of the tutor assignment is to cover and/or incorporate the main topics of the sections and prepare you for unit (summative) outcome assessment.


    Other resources required

    You will need access to a computer system with Windows 2000 with full administrative rights. Access to other operating systems such as Windows 98, NT and XP as well as Unix/Linux and Mac OS would be advantageous.

    Access to common networking equipment, such as routers, switches and hubs, would also be advantageous.

    To cover the whole unit, you will need a copy of the companion volume for this unit entitled: DF9P 34 Network Concepts: Introduction.


    Assessment information

    How you will be assessed

    You will be assessed by either a 50-question restricted-response end-of-unit test or by smaller subtests broken down as follows:

    In Learning Outcome 1 you will be asked to complete a 10-question restricted-response test with a 70% pass mark, to assess your knowledge and understanding.

    In Learning Outcome 2 you will be asked to complete a 16-question restricted-response test with a 70% pass mark, to assess your knowledge and understanding.

    In Learning Outcome 3 you will be asked to complete an 18-question restricted-response test with a 70% pass mark, to assess your knowledge and understanding.

    Also in LO3 you will be asked to perform practical tasks, which will be recorded by you in a logbook.

    In Learning Outcome 4 you will be asked to complete a 6-question restricted-response test with a 70% pass mark, to assess your knowledge and understanding.

    Also in LO4 you will be asked to perform practical tasks, which will be recorded by you in a logbook.

    When and where you will be assessed

    You will be assessed by your tutor/assessor under supervised conditions.

    What you have to achieve

    You must answer at least 70% of the questions correctly in order to obtain a pass. If subtests are used, you must also score at least 70% in each subtest.

    Opportunities for reassessment

    Normally, you will be given one attempt to pass an assessment with one reassessment opportunity. Your centre will also have a policy covering 'exceptional' circumstances, for example, if you have been ill for an extended period of time. Each case will be considered on an individual basis, and is at your centre's discretion (usually via written application), and they will decide whether to allow a third attempt. Please contact your tutor for details regarding how to apply.


    Section 3: Implementing local area networks


    Introduction to this section

    What this section is about

    You will be given the opportunity to install or witness the installation of a variety of LANs. You should put the information learned in Outcomes 1 and 2 to use here. You will learn how to analyse a client's requirements and be able to offer a number of appropriate solutions. This can be done manually using the advantages and disadvantages of media covered in Outcomes 1 and 2. You should be able to say which networks are appropriate, and why other networks are not appropriate, for given situations.

    Outcomes, aims and objectives

    Outcome 3 deals with the implementation of LANs.

    Server operating systems: You will learn about the basic capabilities of Unix/Linux, NetWare, Windows and Macintosh operating systems, looking at as many releases as is practical.

    Client workstations: Capabilities of client workstations with regard to connectivity, local security and authentication will be discussed. You will learn how to identify these and their suitability for given situations.

    VLANs: Benefits of VLANs (bandwidth management, administration costs, workgroups, security) will be introduced.

    Network attached storage: Characteristics of network attached storage will be introduced. You will learn how to install this type of storage device.

    Fault tolerance and disaster recovery: The purpose and characteristics of fault tolerance and RAID hardware and software will be considered. You will look at disaster recovery in terms of its purpose and characteristics and how it fits into the network's fault tolerance plan.

    Firewalls and proxy servers: You will learn to identify the purpose, benefits and characteristics of using firewalls and proxy servers.

    Security measures: You will learn how to identify the appropriate level of security for a given network and how this should be implemented.

    Remote access: Given a remote connectivity scenario (e.g. IP, IPX, dial-up, PPPoE, authentication, physical connectivity etc.), you will learn how to configure the connection.

    Network configuration: You will be given as much exposure and practice to the installation of different network topologies as is practicable. Given a network configuration, you should be able to select the appropriate NIC and network configuration settings (DHCP, DNS, WINS, protocols, NetBIOS/host name, etc.).


    Approximate study time

    24 hours.

    Other resources required

    A computer running Windows 2000 Professional with a connection to a LAN or WAN.

    Assessment information for this section

    How you will be assessed

    This section will be assessed by a restricted-response test and the completion of an activity logbook.

    Restricted-response test

    The knowledge and skills component of this section will be examined by 18 questions, two derived from each of the nine items listed above. Each question will be derived from a single item.

    Logbook

    The logbook for this section must record that you have successfully completed each of the tasks listed below.

    1 Configuring a remote access connection
    Documentary evidence that the candidate can configure a remote access connection in accordance with a given specification.

    2 Selecting network configuration settings
    Documentary evidence that the candidate can select network configuration settings in accordance with a given specification.

    When and where you will be assessed

    You will be assessed by your tutor/assessor at an appropriate location where closed book tests can be taken.

    What you have to achieve

    You must achieve a pass mark of 70% or greater in the multiple choice test to pass this outcome.

    Opportunities for reassessment

    Normally, you will be given one attempt to pass an assessment with one reassessment opportunity.


    Your centre will also have a policy covering 'exceptional' circumstances, for example, if you have been ill for an extended period of time. Each case will be considered on an individual basis, and is at your centre's discretion (usually via written application), and they will decide whether to allow a third attempt. Please contact your tutor for details regarding how to apply.


    The latest version of Novell's NetWare suite (currently version 6.5) contains Novell eDirectory, a high-end directory service that simplifies the management of identities and access rights for employees, customers and partners. NetWare 6.5 also includes Novell iManager, a browser-based administration tool that provides a global view of the network, no matter how widely dispersed it is.

    Client support

    NetWare 5 comes with Novell Client software for three client platforms: DOS and Windows 3.1x, Windows 95/98, and Windows NT.

    Interoperability

    You can set the Novell Clients for Windows operating systems to work with one of three network protocol options: IP only, IP and IPX, or IPX only.

    File and print services

    NetWare offers two choices of mutually compatible file services: Novell Storage Services (NSS) and the traditional NetWare file system. Both kinds of file services let you store, organise, manage, access, and retrieve data on the network.

    NSS gathers all unpartitioned free space that exists on all the hard drives connected to your server, together with any unused space in NetWare volumes, and places it into a storage pool. You create NSS volumes from this storage pool during server installation or later through NWCONFIG.

    Novell Distributed Print Services (NDPS) is the default and preferred print system in NetWare. NDPS supports IP-based as well as IPX-based printing.

    Security

    Novell has built public key infrastructure (PKI) support into NetWare from version 5 onwards, using public key certificate technology developed by RSA Security.

    Windows

    Windows NT

    Windows is probably the most commonly used operating system today, although Linux has started making inroads in some areas.

    Microsoft released Windows NT Advanced Server version 3.1 in 1993 (the NT stands for 'new technology'). The user interface was immediately familiar, as it was the same as the one used in Windows 3.x. Windows NT progressed through versions 3.5 and 3.51 before Microsoft released Windows NT version 4.0 in 1996. This had a similar user interface to Windows 95 at the time.

    The introduction of NT allowed Microsoft to attack NetWare's huge market share. NT is a 32-bit network operating system that can run both 32-bit and legacy 16-bit Windows programs. In addition, it can run DOS, OS/2 and POSIX applications, which makes it more flexible than other server operating systems.

    NT can be used for file and print services but also provides an excellent application server platform. It supports multiple processors and can be run on RISC as well as Intel x86 based systems.

    The main features of NT are as follows:

    A sophisticated security system

    NT servers can be grouped into 'domains'; a single domain security database is used to add user details and provides access to resources on any of the servers

    The use of a domain simplifies and centralises administration

    The NT file system (NTFS) provides enhanced reliability and excellent file and folder security

    NT supports the IPX/SPX, NetBEUI, TCP/IP, AppleTalk and DLC protocols

    Clients supported include DOS, Windows, OS/2, Unix and Apple Macintosh

    Directory Services in NT

    In Windows NT, computers can be grouped together in domains. This provides for centralised management of user and group accounts, together with a centralised security and system policy which can be used to set security and policy for computers throughout the domain.

    NT was very robust and was not prone to crashing, but its downside was poor handling of hardware resources, with no plug and play support. Thus installing new hardware could at times be tricky and frustrating.

    The Windows 2000 family

    Windows NT was the main NOS product from Microsoft for many years, and over those years Microsoft added more features to try and address users' needs through updates called service packs. With Windows 2000, they have made considerable enhancements to the product.

    Windows 2000 Professional is the preferred 32-bit desktop environment, providing a combination of Windows 98 usability and Windows NT 4 reliability. New features include support for power management, plug and play and support for new file system features, including Encrypting File System (EFS).

    The main features of Windows 2000 are as follows:

    Support for the file systems FAT16, FAT32 and NTFS

    Increased uptime of the system and significantly fewer operating system crashes requiring a reboot


    The implementation of Windows Installer, which tracks application installations and recognises and replaces missing components

    Protection of the memory of individual applications and processes to avoid a single application bringing the system down

    Encrypted file systems to protect sensitive data

    Secure VPN support for tunnelling into a private LAN over the Internet

    Personalised menus adapt to the way users work

    The multilingual version allows switching of the user interface and Help language, based on logon

    Includes broader support for high-speed networking devices, including native ATM and cable modems

    Support for universal serial bus (USB) and IEEE 1394 for a greater range of high-bandwidth devices

    There are three types of Windows 2000 Server, each with features appropriate to the target audience. All share the same core features as Windows 2000 Professional, but have additional features.

    Windows 2000 Server is the standard entry-level server platform, providing similar power to Windows NT 4 Server. However, it also includes support for Terminal Services and Active Directory. Windows 2000 Server can handle up to four processors.

    Users requiring more power and greater scope for scalability should opt for Windows 2000 Advanced Server, which is similar in power to Windows NT 4 Server, Enterprise Edition. It provides enhanced scalability and clustering support. Windows 2000 Advanced Server can handle up to eight processors.

    Users who need an enterprise-size database or web servers should opt for Windows 2000 Datacenter Server. This is currently the most powerful server product in the range. It is used for real-time transaction processing and database services and provides the capabilities of Windows 2000 Advanced Server plus more scalability. Windows 2000 Datacenter Server can handle up to 32 processors.

    Directory services in Windows 2000

    In Windows 2000, the directory service is provided by Active Directory, a centralised and standardised system that automates network management of user data, security, and distributed resources, and enables interoperation with other directories.

    As with Windows NT, domains provide the primary grouping of users, groups and computers. However, delegation of administration is provided by organisational units, and geographic considerations are implemented using site objects.


    Combining NT and NetWare

    Microsoft provides two possible solutions for the integration of NT and NetWare servers. These can be described as a client-based solution and a server-based solution.

    Client-based solution

    This solution may be applied to both Windows 9x and NT Workstation/Windows 2000 Professional; the client requires an additional redirector installed to allow it to talk to the NetWare servers. Assuming that the client is currently running the Microsoft redirector (Client for Microsoft Networks) and a protocol other than IPX/SPX (NWLink), the following is required:

    Add the IPX/SPX (NWLink) protocol

    For NT Workstation/Windows 2000 add Client Services for NetWare (CSNW) or for Windows 9x add the Client for NetWare Networks

    Server-based solution

    The server-based solution leaves the client configuration unchanged and uses the Windows NT Server/Windows 2000 Server to pass requests to the NetWare server. The Windows server requires:

    The IPX/SPX (NWLink) protocol

    Gateway Services for NetWare (GSNW)

    You will also need to create a user account on the NetWare server with sufficient permissions to access resources on behalf of the clients. In addition, this account must be a member of a group, on the NetWare server, called NTGATEWAY. Note that every client request then reaches the NetWare server under this one gateway account, so NetWare-side permissions can no longer tell individual Windows users apart; the share permissions set on the Windows server are the only per-user control that remains.

    Client support

    Windows 2000 supports Windows 3.x, Windows 95, Windows 98, and Windows NT Workstation 4.0 clients.

    Interoperability

    Windows 2000 Server supports Unix, Novell NetWare, Windows NT Server 4.0, andMacintosh.

    Authentication

    Successful user authentication in a Windows 2000 computing environment consists of two separate processes: interactive logon, which confirms the user's identification to either a domain account or a local computer, and network authentication, which confirms the user's identification to any network service that the user attempts to access.

    Types of authentication that Windows 2000 supports are as follows:


    Kerberos V5 is used with either a password or a smart card for interactive logon. It is also the default method of network authentication for services. The Kerberos V5 protocol verifies both the identity of the user and that of the network service. NTLM is retained for compatibility with Windows NT 4.0 and Windows 9x clients and for logons that do not involve a domain account, so a Windows 2000 network still falls back to NTLM wherever Kerberos cannot be used.

    Secure Sockets Layer/Transport Layer Security (SSL/TLS) authentication is used when a user attempts to access a secure web server.

    File and print services

    You can add and maintain printers in Windows 2000 using the print administration wizard, and you can add file shares using Active Directory management tools. Windows 2000 also offers the Distributed File System (DFS), which lets you combine shares on more than one server into a single logical share.


    Security

    User-level security protects shared network resources by requiring that a security provider authenticate a user's request to access resources. The domain controller grants access to the shared resource by verifying that the user name and password are the same as those on the user account list stored with the network security provider. Because the security provider maintains a network-wide list of user accounts and passwords, each client computer does not have to store a list of accounts.

    Share-level security protects shared network resources on the computer with individually assigned passwords. For example, you can assign a password to a folder or a locally attached printer. If other users want to access it, they need to type in the appropriate password. If you do not assign a password to a shared resource, every user with access to the network can access that resource. Share-level security also gives no way of telling which person used the password, so access cannot be audited per user, and the password has to be changed whenever anyone who knows it should lose access.
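    The two models side by side, as an added example (not code from the unit text; the share names, user names and passwords are constructed, and the user-level server stores salted PBKDF2 hashes rather than the plain passwords the text mentions). The point it makes is the one a practitioner cares about: share-level access leaves an audit trail that names no user, while user-level access both authenticates an identity and records it.

```python
"""Share-level versus user-level access control, simulated.

Added example for this section, not part of the COLEG/SQA unit text. Share names,
user names and passwords are constructed; stored passwords are salted and hashed
with PBKDF2 (the text only says the provider keeps a list of accounts and passwords).
"""
import hashlib
import hmac
import os


class ShareLevelServer:
    """Share-level security: one password per resource and no notion of who is asking."""

    def __init__(self):
        self.share_passwords = {}   # {share: password or None}
        self.audit = []             # (share, who, granted)

    def create_share(self, name, password=None):
        self.share_passwords[name] = password

    def open_share(self, name, password=""):
        required = self.share_passwords[name]
        # An unprotected share is open to everyone who can reach the network.
        granted = required is None or hmac.compare_digest(required, password)
        # The log can only say that the share was opened, not by whom.
        self.audit.append((name, "unknown", granted))
        return granted


class UserLevelServer:
    """User-level security: a central security provider authenticates the user,
    then the share's access list decides whether that identity may use it."""

    ITERATIONS = 50_000

    def __init__(self):
        self.accounts = {}   # {user: (salt, pbkdf2 hash)}, held once, network-wide
        self.acls = {}       # {share: set of user names}
        self.audit = []

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = (salt, self._derive(password, salt))

    def create_share(self, name, allowed_users):
        self.acls[name] = set(allowed_users)

    def authenticate(self, user, password):
        record = self.accounts.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(password, salt))

    def open_share(self, name, user, password):
        granted = self.authenticate(user, password) and user in self.acls.get(name, set())
        self.audit.append((name, user, granted))   # every decision names a principal
        return granted


def demo():
    """Constructed scenario: a finance share under each model."""
    share = ShareLevelServer()
    share.create_share("finance", "letmein")
    share.create_share("public")              # no password at all

    users = UserLevelServer()
    users.add_user("alice", "correct horse")
    users.add_user("bob", "battery staple")
    users.create_share("finance", ["alice"])

    return {
        "share_with_pw": share.open_share("finance", "letmein"),
        "share_wrong_pw": share.open_share("finance", "guess"),
        "share_open": share.open_share("public"),
        "share_audit_names": sorted({who for _, who, _ in share.audit}),
        "alice_ok": users.open_share("finance", "alice", "correct horse"),
        "alice_bad_pw": users.open_share("finance", "alice", "wrong"),
        "bob_not_on_acl": users.open_share("finance", "bob", "battery staple"),
        "user_audit_names": sorted({who for _, who, _ in users.audit}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Under the share-level server anyone holding "letmein" gets in and the audit entry reads "unknown"; under the user-level server bob is refused even with a correct password because the access list names only alice, and both attempts are logged against a user name.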

    Apple Macintosh

    Mac OS X Server is Apple's NOS, introduced to rival the Windows NT, Novell NetWare and Linux operating systems.

    Mac OS X Server provides file and print sharing, a web server, and multimedia content streaming services to Apple Macintosh-based networks. Mac OS X Server also introduces NetBoot and Macintosh Management Services, features designed to ease the administrative tasks involved with Macintosh networks and save IT administrators time.

    The first Macintosh NOS is a robust server that will fulfil the networking needs of Macintosh web design shops, companies supporting Macintosh clients, and Macintosh workgroups or labs.

    Client support

    Mac OS X Server supports TCP/IP file sharing with Macintosh clients using the Apple Filing Protocol (AFP) 3.0, Network File System (NFS) and FTP.

    Interoperability

    Mac OS X Server uses Samba to provide Windows users with SMB file sharing. NFS lets you make folders available to Unix and Linux users.

    Authentication

    Kerberos is used to support centralised login authentication.

    File and print services

    Mac OS X Server provides support for native Macintosh, Windows, Unix, and Linux file sharing. Protocols supported include:

    Apple file services (AFP 3.0) from any AppleShare client over TCP/IP

    Windows (SMB/CIFS) file sharing using Samba


    SAQ 3.1.1

    Write a short description of the major NOS (network operating systems), summarising their major points. Include Unix, Linux, Novell, Microsoft and Apple Macintosh in your description.


    VLANs

    We looked at networking devices earlier in this unit, and at hubs, switches and routers in particular.

    We looked at how hubs create one broadcast domain and one collision domain. Switches also create one single broadcast domain, but they do segment the network by breaking the segment up into a series of collision domains.

    As we learned earlier, a router can break a segment up into separate collision domains and broadcast domains.

    In a large network, using hubs or switches throughout the network means that broadcast packets will be propagated through the network, in some cases bringing the network down to unacceptable performance levels. The network may be segmented by the use of routers, which stop broadcast packets from being propagated. However, extensive use of routers (which can add a lot of latency or delay) can result in unacceptable delays of data transfer over the network.

    A solution to this problem is to use what is known as a virtual LAN (VLAN). A VLAN is a logical grouping together of host computers where broadcasts are limited to the VLAN only and not to other hosts outside of the VLAN. You can set up many VLANs on the same switch, depending on your needs. VLANs divide the switched network into separate broadcast domains, giving the advantages of a router but without the latency problems.

    VLANs within a switch must be configured by a network administrator, and this can be a lot of work in a complicated network configuration. Membership is most often assigned per switch port (a port-based VLAN), but it can also be assigned by MAC address, in which case the work is not just the initial setup but also keeping track of users' computers and their MAC addresses.

    Users within a VLAN do not need to be grouped in the same area, as VLANs allow members of teams that are on different floors within a building to be logically grouped within a VLAN. Thus VLANs provide independence from the physical topology of the network by allowing workgroups in different areas to be logically connected within a single broadcast domain.

    A VLAN network forwards frames only to the intended recipients, and broadcast frames only to other members of the VLAN. This allows the network administrator to segment users requiring access to sensitive information into VLANs that are separate from the rest of the general user community regardless of physical location, thus enhancing security. This separation is only as strong as the switch configuration and the routing or filtering policy between VLANs: a router that joins two VLANs joins their traffic unless it is configured to filter it.

    If two hosts on two different VLANs want to communicate with each other, this requires the use of a router, as routers work at layer 3 of the OSI model (i.e. IP addresses) and do not take into account the VLAN information that resides at layer 2 (i.e. MAC addresses). The bandwidth available to users across the VLANs is greatly improved due to the reduction in the number of broadcasts that are being sent.
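    A port-based VLAN switch and the router needed to cross between VLANs, as an added example (not part of the COLEG/SQA unit text; the topology, port numbers, VLAN IDs and MAC addresses are constructed for the example). It shows the three behaviours described above: a broadcast is flooded only to ports in the sender's VLAN, a learned unicast goes to one port, and a frame addressed to a host in another VLAN never gets there unless a router re-sends it from its own port in that VLAN.

```python
"""Port-based VLAN switch and inter-VLAN router, simulated.

Added example for this section; it is not part of the COLEG/SQA unit text.
Port numbers, VLAN IDs, MAC addresses and host names are constructed.
"""
from collections import namedtuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = namedtuple("Frame", "src dst payload")   # layer-2 frame: MACs plus payload


class VlanSwitch:
    """Each access port belongs to exactly one VLAN; the MAC table is kept per VLAN."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # {port: vlan_id}
        self.fdb = {}                      # {(vlan_id, mac): port}, learned from sources

    def ports_in_vlan(self, vlan, exclude=None):
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != exclude)

    def receive(self, in_port, frame):
        """Return the egress ports for a frame that arrives on in_port."""
        vlan = self.port_vlan[in_port]
        self.fdb[(vlan, frame.src)] = in_port
        out = None if frame.dst == BROADCAST else self.fdb.get((vlan, frame.dst))
        if out is None:
            # Broadcast or unknown unicast: flood, but only within this VLAN.
            return self.ports_in_vlan(vlan, exclude=in_port)
        return [] if out == in_port else [out]


class Router:
    """Layer-3 device with one switch port and one MAC address in each VLAN it joins."""

    def __init__(self, vlan_ports):
        self.vlan_ports = dict(vlan_ports)   # {vlan_id: (port, mac)}

    def forward(self, frame, to_vlan, dst_mac):
        """Re-send the payload into to_vlan with the router's own source MAC."""
        port, my_mac = self.vlan_ports[to_vlan]
        return port, Frame(my_mac, dst_mac, frame.payload)


def build_demo():
    """Constructed topology: ports 1-2 in VLAN 10, 3-4 in VLAN 20, router on 5 and 6."""
    sw = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20, 5: 10, 6: 20})
    rtr = Router({10: (5, "00:00:5e:00:00:10"), 20: (6, "00:00:5e:00:00:20")})
    hosts = {"A": (1, "02:00:00:00:00:0a"), "B": (2, "02:00:00:00:00:0b"),
             "C": (3, "02:00:00:00:00:0c"), "D": (4, "02:00:00:00:00:0d")}
    return sw, rtr, hosts


def broadcast_reach(sw, hosts, sender):
    """Ports that see a broadcast (for example an ARP request) from sender."""
    port, mac = hosts[sender]
    return sw.receive(port, Frame(mac, BROADCAST, "ARP who-has"))


def same_vlan_unicast(sw, hosts, sender, receiver):
    """After the receiver has been heard once, unicast goes to its port only."""
    r_port, r_mac = hosts[receiver]
    sw.receive(r_port, Frame(r_mac, BROADCAST, "hello"))
    s_port, s_mac = hosts[sender]
    return sw.receive(s_port, Frame(s_mac, r_mac, "data"))


def cross_vlan_unicast(sw, rtr, hosts, sender, receiver, via_router):
    """Ports that finally see a frame from sender to a receiver in another VLAN."""
    s_port, s_mac = hosts[sender]
    r_port, r_mac = hosts[receiver]
    if not via_router:
        # Addressed straight at the receiver's MAC: the switch never learned that
        # MAC in the sender's VLAN, so the frame is flooded there and goes no further.
        return sw.receive(s_port, Frame(s_mac, r_mac, "data"))
    # Receiver and router announce themselves so the switch learns them per VLAN.
    sw.receive(r_port, Frame(r_mac, BROADCAST, "hello"))
    router_port, router_mac = rtr.vlan_ports[sw.port_vlan[s_port]]
    sw.receive(router_port, Frame(router_mac, BROADCAST, "hello"))
    first_hop = sw.receive(s_port, Frame(s_mac, router_mac, "data"))
    if first_hop != [router_port]:
        raise RuntimeError("frame for the router should reach the router port only")
    out_port, relayed = rtr.forward(Frame(s_mac, router_mac, "data"),
                                    sw.port_vlan[r_port], r_mac)
    return sw.receive(out_port, relayed)


if __name__ == "__main__":
    sw, rtr, hosts = build_demo()
    print("broadcast from A reaches ports", broadcast_reach(sw, hosts, "A"))
    print("A to B (same VLAN)", same_vlan_unicast(sw, hosts, "A", "B"))
    print("A to C without router", cross_vlan_unicast(sw, rtr, hosts, "A", "C", False))
    print("A to C via router", cross_vlan_unicast(sw, rtr, hosts, "A", "C", True))
```

The forwarding table is keyed by (VLAN, MAC) rather than by MAC alone; that is what stops a frame from VLAN 10 ever being switched to port 3 or 4, and it is also why the router needs a distinct port and MAC address inside VLAN 20 to deliver to host C.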


    Figure 33 shows how users on different switches, and possibly in different locations, can be connected to the same VLAN.

    Figure 33 Users on different switches connected to the same VLAN
    [Figure: three interconnected switches with PCs attached; the PCs are assigned to VLAN1, VLAN2 or VLAN3 regardless of which switch they plug into]

    SAQ 3.2

    Describe what a VLAN is and how it is beneficial in a network.


    Fault tolerance and disaster recovery

    Fault tolerance

    Fault tolerance is a process by which a duplicate system or service runs alongside the existing system or service so that, in the event of a failure, the duplicate can take over the system or service.

There are many levels of fault tolerance, the lowest being the ability to continue operating through a power failure. Many fault tolerant computer systems mirror all operations, that is, they duplicate every operation on two or more identical systems, so that if one fails the other can take over.

Fault tolerance thus refers to software or hardware options that allow a system to continue operating when a particular component fails. Below are some of the most common fault tolerant configurations.

    Redundant network connections

A faulty NIC (network interface card) or cable can prevent an entire server from providing its services to users. To stop a NIC, and its connection, from being a single point of failure for the whole server, an extra NIC can be installed. The NICs can then be teamed to provide load balancing, so that they share the traffic, and/or fault tolerance, so that one carries on if the other fails.

    Mirrored servers

A more advanced solution is to mirror complete servers using two or more nodes (servers) in a cluster. If a node fails, another node takes over its duties; this process is known as failover. In modern configurations the nodes connect to a shared storage device, typically over Fibre Channel. Some editions of Windows Server 2003 support up to eight nodes in a cluster.

    RAID

RAID stands for Redundant Array of Inexpensive (or Independent) Disks and is commonly used on servers in corporate environments. It allows multiple hard disks to be combined in various ways, some offering speed enhancements, some offering protection of data should one disk fail, and some both. We will look at RAID levels 0 to 7 and also RAID 53, and the properties, benefits and disadvantages of each.

RAID 0 is known as a stripe set. It requires at least two hard disks but offers no fault tolerance; it is merely a method of combining hard disks to allow larger volumes and better performance. When a file is written to a two-disk RAID 0 stripe set, the first block is written to the first disk, the second block to the second disk, the third block to the first disk, the fourth to the second, and so on. If one of the hard disks in the stripe set fails, the data on the entire stripe set is lost and must be rebuilt and restored from backup.

RAID 1 is also known as disk mirroring or, when each disk has its own controller, disk duplexing. This configuration requires two, ideally identical, hard disks. When the operating system


software. If two disks in a RAID 5 set fail, you will need to replace the disks and restore the information from backup.

RAID 53 is implemented as a striped (RAID level 0) array whose segments are RAID 3 arrays. RAID 53 has the same fault tolerance as RAID 3, and the same fault tolerance overhead, and requires a minimum of five drives. Its advantage is that it achieves high data transfer rates because it uses RAID 3 array segments, and high I/O rates for small requests thanks to its RAID 0 striping; it is a good solution where RAID 3 might have been chosen but an additional performance boost is required. RAID 53 can be very expensive to implement: all disk spindles must be synchronised, which limits the choice of drives, and byte striping results in poor utilisation of formatted capacity, so space is wasted on the drives.

RAID 6 is essentially an extension of RAID 5 that provides additional fault tolerance by using a second, independent distributed parity scheme (two-dimensional parity). Data is striped at block level across a set of drives, just as in RAID 5, and a second set of parity is calculated and written across all the drives, so the array can sustain two simultaneous drive failures. The cost is a more complex controller and the overhead of computing and writing two parity blocks on every write, which makes write performance poorer than RAID 5.

RAID 7 features optimised asynchrony, which gives high I/O rates as well as high data transfer rates. Because all input and output is asynchronous, independently controlled and cached, overall write performance is 25% to 90% better than single-spindle performance and 1.5 to 6 times better than other array levels. Host interfaces are scalable for connectivity or increased host transfer bandwidth; small reads in multi-user environments have a very high cache hit rate, giving near-zero access times; and write performance improves as drives are added to the array. The disadvantages of RAID 7 are that it is a proprietary solution from a single vendor, Storage Computer Corporation, that the cost per megabyte is extremely high, and that the array must be powered through an uninterruptible power supply (UPS) to prevent loss of cached data in a power failure.
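How parity gives RAID 5 its fault tolerance, and why a second failure defeats it (the point made at the end of the RAID 5 discussion above), as an added example that is not part of the original unit: RAID 0 striping, RAID 5 striping with rotating XOR parity, rebuilding a lost disk from the survivors, and the two-disk case. The disk count, chunk size and sample data are constructed for the example; a real controller works on sectors and uses a vendor-specific parity rotation, but the XOR arithmetic is the same.

```python
from functools import reduce


def xor_blocks(blocks) -> bytes:
    """XOR equal-length byte strings column by column; this is RAID parity."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def raid0_write(data: bytes, n_disks: int, chunk: int) -> list:
    """RAID 0: deal chunk-sized blocks round-robin across the disks, with no redundancy."""
    blocks = [data[i:i + chunk].ljust(chunk, b"\0") for i in range(0, len(data), chunk)]
    while len(blocks) % n_disks:              # pad the last stripe so the disks stay equal length
        blocks.append(b"\0" * chunk)
    disks = [bytearray() for _ in range(n_disks)]
    for i, block in enumerate(blocks):
        disks[i % n_disks] += block
    return [bytes(d) for d in disks]


def raid5_write(data: bytes, n_disks: int, chunk: int) -> list:
    """RAID 5: n-1 data blocks plus one XOR parity block per stripe. The parity block
    rotates across the disks so that no single disk becomes the parity bottleneck."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = (n_disks - 1) * chunk
    disks = [bytearray() for _ in range(n_disks)]
    for s, start in enumerate(range(0, len(data), per_stripe)):
        stripe = data[start:start + per_stripe].ljust(per_stripe, b"\0")
        blocks = [stripe[k * chunk:(k + 1) * chunk] for k in range(n_disks - 1)]
        parity_disk = s % n_disks
        parity = xor_blocks(blocks)
        it = iter(blocks)
        for d in range(n_disks):
            disks[d] += parity if d == parity_disk else next(it)
    return [bytes(d) for d in disks]


def raid5_read(disks: list, chunk: int) -> bytes:
    """Read the data back, skipping the parity block in every stripe."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0]) // chunk):
        parity_disk = s % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += disks[d][s * chunk:(s + 1) * chunk]
    return bytes(out)


def raid5_rebuild(disks: list, failed: int) -> bytes:
    """Reconstruct one failed disk. In every stripe the XOR of all n blocks is zero,
    so each missing block is the XOR of the n-1 surviving blocks in that stripe."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return xor_blocks(survivors)


def simulate_failures(data: bytes, n_disks: int = 4, chunk: int = 8) -> dict:
    """Constructed scenario: write, lose one disk and rebuild it, then lose two disks."""
    disks = raid5_write(data, n_disks, chunk)
    lost = 2
    rebuilt = raid5_rebuild(disks, lost)
    restored = disks[:lost] + [rebuilt] + disks[lost + 1:]
    # With disks 0 and 1 both gone, the XOR of the survivors equals disk0 XOR disk1,
    # which identifies neither of them: single parity cannot recover from two failures.
    two_lost = xor_blocks(disks[2:])
    return {
        "rebuilt_matches": rebuilt == disks[lost],
        "data_intact": raid5_read(restored, chunk).rstrip(b"\0") == data,
        "two_disk_recoverable": two_lost in disks[:2],
    }


if __name__ == "__main__":
    print(simulate_failures(b"The quick brown fox jumps over the lazy dog"))
```

The same XOR identity is what the controller runs during a hot-swap rebuild: every block of the replacement drive is computed from the other drives in its stripe, which is why the array is unprotected until that rebuild completes.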

    Hot-spare

Fault tolerant RAID configurations implemented in hardware usually offer hot-swappable drives: a failed drive can be pulled out and replaced while the system is running, and the controller rebuilds the data onto the new drive automatically. A hot spare goes one step further. It is an extra drive already installed in the array and kept idle, so that when a drive fails the controller starts the rebuild onto the spare immediately, without waiting for a technician; the array is unprotected only for the duration of the rebuild.

More generally, spare devices kept in stock and fully configured to match the running ones (routers, switches, complete servers, or disks for a hardware RAID array) can be used to replace a failed unit in a disaster. Such units are also known as standby systems; a powered-off (cold) standby is the cheaper but slower alternative to a hot spare.


    UPS

A UPS (uninterruptible power supply) is a hardware device placed between the power socket and the computer system, which is usually some form of critical network device such as a server, router or switch.

A UPS is a battery backup device that is constantly charged while mains power is available. When the mains power fails, the battery takes over and keeps the devices running. Usually a UPS is sized only to keep the system running long enough for it to be shut down properly; at best, it runs the system until mains power is restored.

    Disaster recovery

Even if you have fault tolerance built into your system, it does not mean you have complete disaster recovery.

You must still plan your disaster recovery and treat it as an essential task, whatever the level of fault tolerance. Backing up data to tape regularly is the most common way to prepare for disaster recovery. Below are some important practices to consider when developing a tape backup strategy.

    Tape rotation scheme

Use a carefully planned tape rotation scheme. You want to avoid data on tapes being overwritten too frequently, because problems with data often occur long before they are discovered; on the other hand, using a new tape every day is usually too costly. A common rotation scheme is grandfather-father-son (GFS). For example, a son tape is used for daily incremental backups on Monday to Thursday; these four tapes are reused weekly. A father tape is used for a full backup on Friday, with a different tape for every Friday in a month; these five tapes are reused monthly. A grandfather tape is used for a full backup on the last business day of each month in a quarter; these three tapes are reused quarterly. This strategy lets you restore data from any day in the last week, any Friday in the last month, and any month end for as many monthly tapes as you keep.


The GFS scheme is shown in Figure 34. Each cell gives the day of the month and the tape used that day. The 31st is the last business day of the previous month and the 30th the last business day of this one, so both take a grandfather (Month) tape in place of the daily tape; each Friday takes a father (Week) tape.

Figure 34 Grandfather-father-son tape rotation scheme

              Monday        Tuesday       Wednesday     Thursday      Friday
Week 1        31 Month1     1  Tuesday    2  Wednesday  3  Thursday   4  Week1
Week 2        7  Monday     8  Tuesday    9  Wednesday  10 Thursday   11 Week2
Week 3        14 Monday     15 Tuesday    16 Wednesday  17 Thursday   18 Week3
Week 4        21 Monday     22 Tuesday    23 Wednesday  24 Thursday   25 Week4
Week 5        28 Monday     29 Tuesday    30 Month2

It is a good idea to store backup tapes at an off-site location, so that if the building housing the servers goes up in flames the tapes are safe in another building. Having employees keep backup tapes at home is generally not a good idea, however. On site, tapes should be locked in a fireproof safe, although this does not make them completely safe from fire: the heat can become so intense that the tapes melt.
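The grandfather-father-son rules above, as an added example that is not from the original unit: a function that names the tape and backup type for any date, one that lists the tapes a restore to a given day needs, and one that prints a month's plan. It assumes Monday to Friday working with no public holidays, four son tapes named by weekday, father tapes Week1 to Week5, and three grandfather tapes numbered by the month's position in the quarter (so the labels run Month3, Month1 where Figure 34 shows Month1, Month2); the example dates are from April and May 2003, whose weekdays match Figure 34.

```python
import calendar
from datetime import date, timedelta


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def last_business_day(year: int, month: int) -> date:
    """Last Monday-to-Friday day of the month (public holidays are ignored: an assumption)."""
    d = date(year, month, calendar.monthrange(year, month)[1])
    while d.weekday() > 4:                  # 5 = Saturday, 6 = Sunday
        d -= timedelta(days=1)
    return d


def gfs_tape(day):
    """Return (tape label, backup type) for a date under the GFS rules, or None at weekends.
    A month-end full backup takes priority over the Friday and weekday tapes."""
    d = _as_date(day)
    if d.weekday() > 4:
        return None
    if d == last_business_day(d.year, d.month):
        return ("Month%d" % ((d.month - 1) % 3 + 1), "full")     # 3 grandfather tapes, reused quarterly
    if d.weekday() == 4:
        return ("Week%d" % ((d.day - 1) // 7 + 1), "full")        # 5 father tapes, reused monthly
    return (calendar.day_name[d.weekday()], "incremental")        # 4 son tapes, reused weekly


def restore_chain(target) -> list:
    """Tapes needed to restore to the end of `target`: the newest full backup, then every
    incremental taken after it, each as (ISO date, tape label, backup type)."""
    chain, d = [], _as_date(target)
    while True:
        entry = gfs_tape(d)
        if entry is not None:
            chain.append((d.isoformat(),) + entry)
            if entry[1] == "full":
                break
        d -= timedelta(days=1)
    return chain[::-1]


def schedule(start, end) -> list:
    """Tape plan for every business day from start to end inclusive."""
    plan, d, end = [], _as_date(start), _as_date(end)
    while d <= end:
        entry = gfs_tape(d)
        if entry is not None:
            plan.append((d.isoformat(),) + entry)
        d += timedelta(days=1)
    return plan


if __name__ == "__main__":
    for row in schedule("2003-03-31", "2003-04-30"):    # the month shown in Figure 34
        print(*row)
```

restore_chain is the check worth running before a tape is reused: if a date's chain names a tape that has since been overwritten, the rotation is too short for the recovery you are promising.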

    Backup types

To understand what the paragraphs above mean by full, differential and incremental backups, you need to understand the archive file attribute. If a file has this attribute set, it has changed since the last time the attribute was cleared. The attribute is cleared by certain types of backup, or manually using the 'attrib' command line utility or Windows Explorer, for example. Below is a list of the most common backup types:

    Normal/full

Backs up every selected file, regardless of the archive attribute setting, and clears the archive attribute. The normal backup type is best when a large amount of data changes between backups, or to provide a baseline for the other backup types.

    The advantages of full backup are:

Files are easy to find because they are always on a current backup of your system, on one medium.


    File recovery requires only one medium or set of media.

    The disadvantages of full backup are:

It is very time-consuming, as every file is backed up.

If files do not change frequently, full backups are redundant: files that haven't changed are backed up again although they were on the previous backup as well.

    Copy

Backs up every selected file, regardless of the archive attribute setting, but does not clear the archive attribute. Because the attribute is left alone, a copy backup (for example one taken before a software upgrade) does not disturb the normal full/incremental cycle.

    The advantages of copy backup are:

Files are easy to find because they are always on a current backup of your system, on one medium.

    File recovery requires only one medium or set of media.

Only the files you select are copied, so an ad hoc copy can be quick.

    The disadvantages of copy backup are:

It is time-consuming because you must specify which files are to be backed up.

    Daily

Backs up every selected file that has changed that day, regardless of the archive attribute setting, and does not clear the archive attribute. While this may not sound especially useful, it can be helpful if you want to take work home and need a quick way to select all the files you worked on that day.

    The advantages of daily backup are:

It lets you back up the files worked on that day.

    The disadvantages of daily backup are:

A restore can take time, as the full backup and every daily backup since it must be restored.

    It is not a commonly used backup type as its use is limited.

    Incremental

Backs up only those files created or changed since the last normal or incremental backup, and clears the archive attribute. This method is used in combination with a periodic full backup, for example a normal/full backup on Mondays and an incremental backup on the remaining days of the week. To restore, you need the last normal backup as well as every incremental backup taken since it. The incremental backup type is best for recording the progression of frequently changed data.

    The advantages of incremental backup are:


    It requires the least data storage space.

    It is the least time-consuming.

    The disadvantages of incremental backup are:

    Files can be difficult to find, because they can be on several media.

    Differential

Backs up only those files created or changed since the last normal or incremental backup, but does not clear the archive attribute. This method is also used in combination with a periodic full backup, for example a normal/full backup on Mondays and a differential backup on the remaining days of the week. To restore, you need only the last normal backup and the last differential backup, which simplifies the restore process.

The advantages of differential backup are:

Recovery requires only the last normal backup medium and the last differential medium.

    It is less time-consuming than normal backups.

    The disadvantages of differential backup are:

    Recovery takes longer than if files were on a single medium.

If large amounts of data change daily, backups can take more time than incremental backups.
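The archive attribute mechanics behind the five backup types above, as an added example that is not part of the original unit: a toy file store with an archive flag, a backup() routine that selects files and clears the flag exactly as each type does, a constructed week of edits run once with incremental and once with differential backups after a Monday full backup, and a routine that lists the media a restore needs. The filenames, contents and the week's changes are constructed for the example.

```python
class FileSystem:
    """A minimal file store with an archive attribute per file, set whenever the file is written."""

    def __init__(self):
        self.files = {}                  # name -> (content, archive attribute)

    def write(self, name: str, content: str) -> None:
        self.files[name] = (content, True)

    def archive_set(self) -> set:
        """Names of files whose archive attribute is set (changed since last cleared)."""
        return {n for n, (_, flag) in self.files.items() if flag}

    def clear_archive(self, names) -> None:
        for n in names:
            content, _ = self.files[n]
            self.files[n] = (content, False)


def backup(fs: FileSystem, kind: str, changed_today=()) -> frozenset:
    """Run one backup of the given type and return the files it captured.
    Only normal/full and incremental backups clear the archive attribute."""
    if kind in ("full", "copy"):
        selected = set(fs.files)                 # everything, attribute ignored
    elif kind in ("incremental", "differential"):
        selected = fs.archive_set()              # only files changed since the attribute was cleared
    elif kind == "daily":
        selected = set(changed_today)            # files touched today, attribute ignored
    else:
        raise ValueError("unknown backup type: " + kind)
    if kind in ("full", "incremental"):
        fs.clear_archive(selected)
    return frozenset(selected)


# Constructed week of activity: the files (re)written on each day after Monday's full backup.
CHANGES = {
    "Tue": {"a": "a2"},
    "Wed": {"b": "b2"},
    "Thu": {"a": "a3", "d": "d1"},
    "Fri": {"c": "c2"},
}


def simulate_week(strategy: str) -> list:
    """Full backup on Monday, then `strategy` (incremental or differential) Tuesday to Friday.
    Returns a history of (day, kind, files captured)."""
    fs = FileSystem()
    for name in ("a", "b", "c"):
        fs.write(name, name + "1")
    history = [("Mon", "full", backup(fs, "full"))]
    for day, edits in CHANGES.items():
        for name, content in edits.items():
            fs.write(name, content)
        history.append((day, strategy, backup(fs, strategy)))
    return history


def restore_media(history: list) -> list:
    """Media needed to restore the latest state: the last full backup, then every incremental
    taken after it, or only the most recent differential."""
    last_full = max(i for i, (_, kind, _) in enumerate(history) if kind == "full")
    later = history[last_full + 1:]
    incrementals = [h for h in later if h[1] == "incremental"]
    if incrementals:
        return [history[last_full]] + incrementals
    differentials = [h for h in later if h[1] == "differential"]
    return [history[last_full]] + differentials[-1:]


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        hist = simulate_week(strategy)
        print(strategy, [(d, sorted(f)) for d, _, f in hist],
              "restore needs", [d for d, _, _ in restore_media(hist)])
```

Running both strategies over the same week makes the trade-off in the text concrete: the incremental run writes the least each day but needs five tapes to restore Friday's state, while the differential run grows every day but restores from two.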


? 3.3

Write your answers to the questions below on a piece of paper. When you are finished, check your answers with the ones at the end of the section. If there is anything you are not sure about, re-read the material and ask your tutor for clarification if necessary.

1 What does NAS stand for?

2 What is meant by the term fault tolerance?

3 Explain what RAID 0 is.

4 Explain what RAID 1 is.

5 Explain what RAID 5 is.

6 What does UPS stand for and what is it used for?

7 What does a full backup do?

8 What does an incremental backup do?

9 What does a differential backup do?


    Firewalls and proxy servers

In its simplest form, a firewall is a hardware or software device that controls which data packets may enter or leave the network it protects. The firewall has a set of rules, and each packet is checked against those rules before it is either forwarded or blocked.

There are two types of firewall:

Filtering firewalls

Filtering firewalls block selected network packets based on set criteria.

Proxy servers

Proxy servers intercept all messages entering and leaving the network. The proxy server makes network connections on your behalf, so the outside world sees only the proxy and never your workstation.

    Packet filtering firewalls

A filtering firewall works at the network layer of the OSI model, reading the transport layer header as well for port numbers. Data is only allowed to enter or leave the network if the firewall rules allow it. As packets arrive at or leave the firewall they are filtered on factors the administrator sets, such as protocol type, source address, destination address and the port numbers contained in each packet.

Because very little data is analysed and logged, filtering firewalls need less CPU power and add less latency to your network. Packet filtering is built into most network routers.

Filtering firewalls do not provide password controls. Users cannot identify themselves; the only identity a user has is the IP address assigned to their workstation. This is a problem if you use DHCP (dynamic host configuration protocol): because the rules are based on IP addresses, you have to adjust the rules as new addresses are handed out, or reserve fixed addresses for particular users so that the firewall can recognise them.

Filtering firewalls are more transparent to the user: the user does not have to configure their applications to reach the Internet through the firewall.

Figure 35 shows a common configuration for a firewall. It sits between users on a LAN and the Internet and prevents unwanted traffic from the Internet reaching the LAN.


    Application proxy

An application proxy understands a particular protocol (HTTP, FTP and so on). It fetches the data on your behalf and stores a copy in its cache, so that a later request for the same page can be served locally.

Because the proxy server handles all the communication, it can log everything that passes through it. For an HTTP (web) proxy this includes every URL you visit; for an FTP proxy, every file you download. Proxies can also filter out inappropriate content from the sites you visit or scan downloads for viruses.

Application proxy servers can authenticate users. Before a connection to the outside is made, the server can ask the user to log in first; to a web user this makes every site look as if it required a login.

    SOCKS proxy

A SOCKS server is a lot like an old telephone switchboard: it simply cross-wires your connection through the system to an outside connection, without understanding the application protocol being carried. The original SOCKS4 handles only TCP connections and, like a filtering firewall, provides no real user authentication, although it can record where each user connected to; SOCKS5 adds UDP relaying and optional username/password authentication.

Figure 36 shows how a simple web page request is handled by a proxy server.

Figure 36 A proxy server handling a simple web page request
[Figure 36: the PC's web browser asks the proxy server for the Microsoft home page at http://www.microsoft.com; the proxy server fetches the page from the Microsoft web server, stores a copy in its cache for future use, and forwards the page to the web browser]


    Accidental deletion of data

Accidental deletion or corruption of data is an extension of unauthorised access: a user may legitimately have permission to access a shared folder and then accidentally delete the files in it. It is the network administrator's responsibility to ensure that users who do not need to delete files do not have the right to do so.

Many users believe that systems are configured so that the network would not let them do anything inappropriate, and so assume they are authorised to make any change they think necessary when working on a piece of data. It is therefore the administrator's responsibility to lock data down appropriately, but not so far that it prevents users doing their work. Judging this is difficult: there is a fine line between being too lenient and being over-zealous.

    Administrative access

Every NOS contains a number of administrative tools and functions. Network administrators need these tools to get all kinds of work done, but it is equally important to keep them out of the reach of those who do not need them; clearly, giving regular users administrator rights is a bad idea. Protecting administrative programs and functions from access and abuse by users is fairly easy, but giving users exactly the rights they need to do their job properly is a real challenge, and one that requires extensive knowledge of the NOS in use.

    System crash/hardware failure

Servers and network devices, like any other modern technology, will fail, usually when you can least afford it. Hard drives crash and lose data, servers lock up, and even a power failure can cause problems. Redundancy must therefore be built into areas prone to failure (for example, installing a UPS in case of power failure), and the system must have the ability to make data backups.

    Preventing threats

Most prevention techniques for internal threats rely on policies and permissions rather than technology. Even the smallest network has a number of user accounts and groups with different levels of rights and permissions, and every time you give a user access to a resource you create a potential loophole that can leave your network open to unauthorised access, data destruction and other administrative nightmares. To protect your network from internal threats you need the right controls over passwords, user accounts, permissions and policies.

    Passwords

Passwords are the ultimate key to your network. A user account with a valid password gets an intruder into the system, and even if that account has only limited permissions you still have a security breach.


You must protect your password system. Never give out passwords over the phone. If a user loses a password, an administrator should reset it to a complex combination of letters and numbers and then require the user to change it to something of their own; all the stronger NOSs have this capability. Windows 2000 Server, for example, provides a setting called 'User must change password at next logon'.

Make your users choose good passwords. It is frightening how many people, even so-called computer experts, use obvious passwords such as their children's or pets' names, which are very easy to guess. So define and enforce a strong password policy: at least eight characters, including letters, numbers and punctuation symbols. To increase security, make users change their passwords regularly and prevent them from reusing an old password.
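The password controls described above (complexity rules, a forced change after an administrator reset, regular expiry and no reuse), as an added example that is not part of the original unit: a small policy class that stores salted PBKDF2 hashes rather than passwords and answers a login with ok, denied or change-required. The thresholds (8 characters, 5 remembered passwords, 90-day maximum age), the account structure and the ISO date strings are assumptions for the example; a real NOS enforces the equivalent rules in its directory service.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

ITERATIONS = 100_000     # PBKDF2 work factor; raise it as hardware gets faster


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def complexity_problems(pw: str, min_len: int = 8) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list means it passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-SHA256; the 16-byte salt is stored in front of the digest."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


def verify_password(pw: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)       # constant-time comparison


@dataclass
class Account:
    name: str
    history: List[bytes] = field(default_factory=list)   # hashes, oldest first; last is current
    changed_on: Optional[date] = None
    must_change: bool = False                             # 'User must change password at next logon'


class PasswordPolicy:
    def __init__(self, min_len: int = 8, history_size: int = 5, max_age_days: int = 90):
        self.min_len, self.history_size = min_len, history_size
        self.max_age = timedelta(days=max_age_days)

    def problems(self, acct: Account, new_pw: str) -> List[str]:
        problems = complexity_problems(new_pw, self.min_len)
        if any(verify_password(new_pw, h) for h in acct.history[-self.history_size:]):
            problems.append("reuses one of the last %d passwords" % self.history_size)
        return problems

    def change(self, acct: Account, new_pw: str, today) -> List[str]:
        """User-initiated change; returns the problems found, empty on success."""
        problems = self.problems(acct, new_pw)
        if not problems:
            acct.history.append(hash_password(new_pw))
            acct.changed_on, acct.must_change = _as_date(today), False
        return problems

    def admin_reset(self, acct: Account, temporary_pw: str, today) -> None:
        """Administrator sets a complex temporary password and forces a change at next logon."""
        if complexity_problems(temporary_pw, self.min_len):
            raise ValueError("temporary password must itself meet the policy")
        acct.history.append(hash_password(temporary_pw))
        acct.changed_on, acct.must_change = _as_date(today), True

    def login(self, acct: Account, pw: str, today) -> str:
        """'denied', 'change-required' (expired or flagged by an administrator) or 'ok'."""
        if not acct.history or not verify_password(pw, acct.history[-1]):
            return "denied"
        if acct.must_change or _as_date(today) - acct.changed_on > self.max_age:
            return "change-required"
        return "ok"
```

Because only hashes are kept, the reuse check has to hash the candidate against each remembered entry; that cost is deliberate, and it is the same cost an attacker pays per guess if the password store is ever stolen.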

    Physical protection

Most network administrators and technicians consider installing a firewall and introducing passwords and policies the critical steps in securing a network, but physical security must also be a major consideration. It is simple to protect your networking equipment and servers: put them under lock and key with strictly controlled access. Large organisations have special server rooms, complete with locks and a record of everyone who enters or exits; smaller organisations will at least have a locked closet.

Physical server protection doesn't stop with a locked door. One of the most common mistakes made by technicians and administrators is walking away from a server while it is still logged on, so make a point of always logging off a server when it is not in use and, as a precaution against forgetting, add a password-protected screen saver. Intruders also get into systems through misuse of passwords, so tell users to be vigilant about their work areas. It is very common to find passwords lying around: walk into any workroom and open a few desk drawers and you will find passwords written on small pieces of paper. Get users to remember their passwords or, in the worst case, at least to keep them in a locked drawer.

    Port filtering

Port filtering, also called port blocking, stops any TCP or UDP packet whose port number is not on the list allowed by the system administrator. Port filtering is effective, but it requires careful configuration to work properly. The question is always 'Which ports do I allow into the network?' Nobody has problems with the well-known ports such as 80 (HTTP), 20/21 (FTP), 25 (SMTP) and 110 (POP3), but there are many lesser-known ports that applications on the network often want opened. If an application that needs a port is critical to the business, open the port; otherwise leave it blocked.

Port filters come with many kinds of interface, ranging from web-based forms to the text-based command line interfaces common on high-end Cisco routers.


    Packet filtering

Port filtering deals only with port numbers and disregards IP addresses: if a packet arrives with a filtered port number, it is blocked regardless of its address. Packet filtering works the same way but looks only at IP addresses. Packet filters, also known as IP filters, block any incoming or outgoing packet from (or to) a particular IP address or range of addresses. In practice the two are combined in a single rule set, so that one rule can name address, protocol and port together.

    Encryption

The growth of online purchasing via the Internet and the storage of sensitive data has brought a need to protect that information. Its security can be ensured by using a form of encryption. Encryption can be thought of as the translation of data into a coded form that can only be decrypted by authorised people. To open a piece of encrypted data, an authorised user must have access to a secret key or password that enables them to decrypt it. Unencrypted data is called plaintext; encrypted data is referred to as ciphertext.

Encryption can be used to further protect data from unauthorised viewing. Two approaches to encryption are secret (symmetric) key encryption, of which the data encryption standard is an example, and public key encryption.

    Figure 37 shows a simple example of encryption/decryption

Figure 37 An example of encryption/decryption
[Figure 37: original message "Hello, your password for the service is P@ssw0rd" -> encryption process using a key -> encrypted message "dhffrncncd/g;ytygfghfgh[]hlrlfee345bdd" -> decryption process using the same key -> decrypted message "Hello, your password for the service is P@ssw0rd"]


    Data encryption standard

The data encryption standard (DES) divides a message into blocks and processes each block through multiple iterations (rounds). Both parties have to know the key that encrypted the message.

DES is a widely used method of data encryption using a private (or secret) key. There are 2^56, about 72,000,000,000,000,000, possible encryption keys. For each message the key is chosen at random from this enormous number of keys, and, as with other private key methods, both the sender and the receiver must know and use the same key.

DES applies a 56-bit key to each 64-bit block of data; the process can run in several modes and involves 16 rounds of operations. It was long considered strong encryption, and many organisations use triple DES, which applies three keys in succession. A DES-encrypted message can nevertheless be broken by trying keys. Early in 1997 RSA Data Security, owners of another encryption approach, offered a $10,000 reward for breaking a DES message; a cooperative effort of over 14,000 computer users on the Internet recovered the key after running through only 18 quadrillion of the 72 quadrillion possible keys. In 1998 the Electronic Frontier Foundation's purpose-built Deep Crack machine recovered a DES key in under three days, so a 56-bit key is no longer a practical obstacle to a determined attacker and single DES should not be used to protect new data.

DES was developed at IBM in the early 1970s and adopted as a US federal standard in 1977. It is specified in the ANSI X3.92 and X3.106 standards and in the Federal standards FIPS 46 and 81. Concerned that the algorithm could be used by unfriendly governments, the US government for many years restricted export of encryption software, although free implementations were widely available on bulletin board services and web sites. Because the algorithm will not remain unbreakable, NIST (National Institute of Standards and Technology) did not recertify DES as a standard; its replacement, the Advanced Encryption Standard (AES, FIPS 197), was chosen through an open competition and published in 2001, and the DES standard FIPS 46-3 was withdrawn in 2005.

    Public key encryption

Public key encryption (PKE) is an encryption scheme in which each person gets a pair of keys, called the public key and the private key. Each person's public key is published while the private key is kept secret. A message is encrypted using the intended recipient's public key and can only be decrypted using their private key. The same key pair gives a digital signature: the sender signs with the private key and anyone holding the public key can verify the signature, so a signed message cannot be altered or forged without detection. To know that a published public key really belongs to the party it claims to, a digital certificate is used. A certificate binds a public key to an identity (for example a web server's name) and is itself signed by a certificate authority (CA), an independent party that both computers trust; a client that trusts the CA can therefore check that the server's public key is genuine before using it.

The need for sender and receiver to share secret information (keys) via some secure channel is eliminated: all communications involve only public keys, and no private key is ever transmitted or shared.

    PKE can be used for authentication, confidentiality, and integrity.


? 3.4

Write your answers to the questions below on a piece of paper. When you are finished, check your answers with the ones at the end of the section. If there is anything you are not sure about, re-read the material and ask your tutor for clarification if necessary.

1 What is the purpose of a firewall?

2 What does a proxy server do?

3 What is the purpose of port filtering?

4 Explain what a packet filter does.

5 What does encryption mean in relation to a network?


    Remote access

Remote access is used in most businesses around the world because there is a need to access or share information outside of the actual workplace. There are four common types of remote access:

Dial-up to the Internet: using a dial-up connection to connect to your Internet service provider (ISP)

    Private dial-up: using a dial-up connection to connect to your private network

    VPN: using an Internet connection to connect to a private network

Dedicated connection: using a non-dial-up connection to another private network or the Internet

In this section we will look at configuring these four types of connection in a Windows environment. We will also look at security and authentication protocols and learn how to configure them.

    Dial-up to the Internet

Dialling up to the Internet is the oldest, cheapest and, at the time of writing, most common way for home and small office users to connect to the Internet. Dial-up requires some method of creating a connection to your ISP. At the very least, you need:

The telephone number to dial to connect to your ISP's servers

    A modem to make the connection

    A user name and password (provided to you by the ISP)

    Type of connection protocol to take care of the transmission (PPP or SLIP)

    IP address information (provided to you by the ISP)

Also keep in mind that you might have more than one dial-up connection, so your operating system needs a way to create and store multiple connections for you to choose between, depending on which you want to make at a given moment. Every version of Microsoft Windows since Windows 95 comes with a tool to set up dial-up connections, and the tool has had many names. It is called Dial-Up Networking (DUN) in Windows NT and 9x, where it treats dial-up connections separately from other network connections. Windows 2000 calls it Network and Dial-up Connections; Windows XP calls it Network Connections and puts dial-up connections in the same dialog box as your other network connections. Whichever operating system you use, and whatever the tool is called, its purpose is to let you create dial-up connections.

Although these programs have different names, they are accessed the same way: go to START, then PROGRAMS, then ACCESSORIES, then COMMUNICATIONS, then choose the name of the tool, whether it is Dial Up Networking or Network Connections.

All of these tools have a Make new connection icon (or Create a new connection option in Windows XP) that starts a wizard which guides you through the steps to make the connections you need. Every version of Windows has a slightly different wizard. Even though these wizards may each have their own look, they all do the same thing, which is to make a new connection. The screenshots below take you through the process for creating a dial-up connection in Windows 2000.

The Windows 2000 Network Connection Wizard is an intelligent wizard that changes based on how you're connected to the network (domain vs. workgroup) and other settings.

    We will now go through the process for configuring a dial-up connection to the Internet.

Figure 38 Network Connection Wizard welcome screen

Once you run the wizard, you will see a screen like that shown in Figure 38, telling you what the wizard will do.


    Figure 39 Choosing type of network connection

Once you click Next on the initial screen, you will see a screen similar to that in Figure 39, where you can either dial into a private network, dial up to the Internet, connect to a private network through the Internet (VPN) or connect directly to another computer via a serial, parallel or infrared connection, that is, not via a network card.

We are going to set up the dial-up connection to the Internet, so select Dial-up to the Internet and click Next.

    Figure 40 Selecting a modem

The screen shown in Figure 40 pops up and asks what modem we would like to use for our connection. In this case, choose the modem connected to your computer. Some computers may have more than one modem or more than one way to connect to the Internet, so it is important to make the correct choice here.


    Figure 41

The screen shown in Figure 41 displays the welcome page for the Internet Connection Wizard. As some people who connect to the Internet are not experts, the wizard gives the user the choice of more automated setups for common ISPs, either built into Windows (like MSN) or via CDs provided by the ISP.

As we are (or should be) fairly familiar with how to make a connection, we'll set up the connection manually. Note that if you connect to the Internet via a LAN, you would make the same choice. Now click Next and choose how you want to connect to the Internet using the screen shown in Figure 42.


    Figure 42 Choosing a modem or LAN connection

As we want to set up a modem connection, I connect through a phone line and modem is the correct choice. (If you were setting up a connection to the Internet via a LAN, you would choose I connect through a LAN.)

    Figure 43 Selecting a modem


In the screen shown in Figure 43, the wizard may ask which modem you want to use to connect to the Internet.

    Figure 44 Providing connection information

The wizard is now prompting you for a telephone number, as shown in Figure 44, which will be used to connect to your ISP. You can select your country/region name and code from the drop-down list. Enter your details and click Next.

You will see the term dialling rules here. A dialling rule is a set of rules that tells the modem how to dial from your current location. For instance, a lot of corporate phone systems require users to dial 9 to get an outside line. Or sometimes you may wish to disable the call waiting option so that an incoming call won't hang up the Internet connection. Also, many ISPs require the caller ID to be shown, while many users wish to withhold this information; this can be set here.

The wizard now prompts you for the user name and password you use to connect to your ISP, as shown in Figure 45. These details, together with the phone number, will be supplied by your ISP. Simply fill in these details and click Next.


    Figure 45 Providing user details

The wizard now prompts you for a name for the connection that you have just created, as shown in Figure 46. Choose a name that means something to you, especially if you create multiple connections to different ISPs.

    Figure 46 Creating connection name


The wizard now asks you if you want to create an Internet Mail account, as shown in Figure 47. If your ISP has provided details for your mail server, this is where you should enter them. I have chosen to say no to this option. You can always go into your mail client software and set Internet mail up from there.

Figure 47 Internet mail account

    Figure 48 Completion of the Internet Connection Wizard


    Security and authentication

Good, robust authentication methods are important, especially in dial-up situations, which a hacker may see as an easy route into a network.

Any modem configured to accept incoming calls, which could effectively be open to the public, is a massive security loophole. Therefore a protocol called Remote Authentication Dial-In User Service (RADIUS) was introduced. A RADIUS server keeps track of all authorised dial-in users and their passwords, effectively locking out any unauthorised remote access attempts.

In the Dial-up to the Internet section, we did not look at the Properties dialogue box in much detail. However, we will now look at the Security tab, as that is the area you would use to configure authentication for private dial-up clients.

The Security options area is where you configure an authentication protocol. To see these advanced security settings, right-click your dial-up connection and then click Properties. The Properties box is then displayed, as shown in Figure 49.

    Figure 49 Dial-up connection properties


Now click the Security tab. On the Security tab, click Advanced (custom settings) and then click the Settings button, as shown in Figure 50.

    Figure 50 Security settings

The authentication protocols that Windows supports are then displayed, as shown in Figure 51.

Figure 51 Authentication protocols


Here is a list of the authentication protocols shown on the Advanced Security Settings tab and what they can be used for.

Extensible Authentication Protocol (EAP): uses a special device, usually something like a smart card, to create the encryption and to identify which source the encryption originated from. This is used to uniquely identify a host.

Unencrypted Password (PAP): Password Authentication Protocol is the oldest and most basic form of authentication. It's also the least safe, because it sends all passwords in clear text.

Shiva Password Authentication Protocol (SPAP): Shiva is the brand name for a family of popular remote access servers. SPAP is a unique encrypted protocol used to enable Windows clients to connect to these servers.

Challenge Handshake Authentication Protocol (CHAP): the most common remote access protocol. CHAP makes the serving system challenge the remote client, which must provide an encrypted password.

Microsoft CHAP (MS-CHAP): Microsoft's variation of the CHAP protocol, which uses a slightly more advanced encryption protocol. Microsoft CHAP Version 2 (MS-CHAP v2) is yet another improvement on MS-CHAP.

Multiple protocols may be ticked here and used simultaneously. If this is the case, the client that is dialling up will be allowed to try a number of authentication protocols until it finds one that the RAS server system will accept.
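The difference between PAP and CHAP, and the negotiation described above, in a simulated form (an added example, not code from the course material): the user name, shared secret and protocol lists are constructed, and the CHAP response is computed as RFC 1994 specifies, so only a hash ever crosses the line.

```python
"""Simulated dial-up authentication: PAP sends the password in clear text,
CHAP (RFC 1994) sends only MD5(identifier || secret || challenge), and the
client tries each ticked protocol until the RAS server accepts one.
Added example with constructed credentials, not code from the course text."""
import hashlib
import hmac
import os

# Constructed account database; the RAS server holds the same shared secret.
USERS = {"alice": "s3cret-pass"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 response: MD5 over the 1-byte identifier, the secret, the challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class RasServer:
    def __init__(self, allowed):
        self.allowed = set(allowed)  # protocols ticked in Advanced Security Settings
        self.wire = []               # what an eavesdropper on the line would capture

    def authenticate(self, protocol, client):
        if protocol not in self.allowed:
            return "rejected-protocol"
        if protocol == "PAP":
            user, password = client.pap_credentials()
            self.wire.append(("PAP", user, password))   # clear-text password on the line
            return "ok" if USERS.get(user) == password else "failed"
        if protocol == "CHAP":
            identifier, challenge = 1, os.urandom(16)   # fresh challenge per attempt
            user, response = client.chap_answer(identifier, challenge)
            self.wire.append(("CHAP", user, response.hex()))  # only the hash crosses the line
            expected = chap_response(identifier, USERS.get(user, ""), challenge)
            ok = user in USERS and hmac.compare_digest(response, expected)
            return "ok" if ok else "failed"
        return "unsupported"        # ticked on the server but not modelled here


class DialUpClient:
    def __init__(self, user, password, preference):
        self.user, self.password = user, password
        self.preference = preference  # order in which the client offers protocols

    def pap_credentials(self):
        return self.user, self.password

    def chap_answer(self, identifier, challenge):
        return self.user, chap_response(identifier, self.password, challenge)

    def connect(self, server):
        """Offer each protocol in turn; return the one the server accepted, or None."""
        for proto in self.preference:
            result = server.authenticate(proto, self)
            if result == "ok":
                return proto
            if result == "failed":
                return None  # credentials wrong: stop rather than retry other protocols
        return None


def password_on_wire(server, password):
    """True if the clear-text password appeared in any captured exchange."""
    return any(password in item for item in server.wire)


if __name__ == "__main__":
    server = RasServer(["CHAP", "MS-CHAP v2"])       # PAP left unticked on the server
    client = DialUpClient("alice", "s3cret-pass", ["PAP", "CHAP"])
    print("negotiated:", client.connect(server))       # negotiated: CHAP
    print("password leaked:", password_on_wire(server, "s3cret-pass"))  # False
```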

    Data encryption

We looked at types of data encryption earlier in the unit. Many networks consist of multiple networks linked together by some sort of private connection, usually a telephone line using ISDN or T1. Microsoft's encryption method of choice for this type of network is called IPSec (derived from IP security). IPSec provides transparent encryption between the server and the client.

    VPNs

We also looked at VPNs (virtual private networks). Many networks do not use a long-distance telephone connection to connect to a network; instead they use a VPN, where they connect via the Internet itself as a way to connect LANs both to individual systems and to each other. The obvious danger with this is the complete exposure of all network data to the Internet. This has led to the development of encryption methods designed to protect data moving between systems. A network employing encryption to use the Internet as if it were a private network is referred to as a VPN.

It is very easy to set up a VPN, as is shown below. Go back to your Network and Dial-up Connections window and again click Make New Connection; this time, however, select the option that allows you to set up a VPN (see the screenshot below).

    First double click the Make New Connection icon, as shown in Figure 52.


The screen shown in Figure 54 is displayed, asking you to specify the host name or IP address of your VPN server. You can type in the full domain name, for example, mydomain.com, or the IP address, for example, 192.168.0.1.

    Figure 54 Specifying destination address


When you click Next, the screen shown in Figure 55 is displayed. This gives you the choice of creating this connection for your user login only or for all users of the particular computer. Again, regarding security, you may want to think carefully about choosing all users, as it means everyone, including guest accounts, will be able to access the VPN.

Figure 55 Choosing connection availability

The wizard then prompts you to enter a name to be used with that connection, as shown in Figure 56. Make this something that is meaningful to your connection, for example, connection to main office.

Figure 56 Creating a name for the connection


You are then prompted to enter the user name and password that will make the connection to the VPN server, as shown in Figure 57. You may also choose to save the password. This is very convenient, but it may not always be the safest option, as an unauthorised user who gets into your PC would be able to make this connection without being prompted for the user name or password.

Figure 57 Providing user name and password details


    Network configuration

Setting up a standard network configuration is not difficult. If you are connecting to an ISP or to most corporate networks, you only need to leave the default settings alone (Obtain an IP address automatically and Obtain DNS server address automatically). This assumes that a DHCP server is running and that it will give out IP address, DNS and WINS information. You will also need a NetBIOS/host name, which identifies your computer on the network and will be used if NetBEUI is used in the network. It will also be used when users try to browse the network if you have a network share. WINS, remember, ties up the computer's host name with its current IP address.

Setting IP addresses to be obtained automatically using Windows 2000 (other operating systems will take a similar form).

From Start, select Programs, Accessories, Communications, Network and Dial-up Connections, and the screen shown in Figure 59 appears.

    Figure 59 Network and dial-up connections


    Click Local Area Connection and wait for the screen shown in Figure 60 to appear.

Figure 60 Local area connection status

Now click Properties. The screen shown in Figure 61 is displayed. Click Internet Protocol (TCP/IP).

Figure 61 Selecting Internet Protocol (TCP/IP)


If you are logging onto a network that uses DHCP, which is likely to be the case, then you simply leave the settings as Obtain an IP address automatically and Obtain DNS server address automatically, as shown in Figure 62. This will ensure that DHCP allocates the computer an IP address, subnet mask, DNS server, default gateway and, if configured, a WINS server. If you have been issued with a DHCP-configured address, you can check this by clicking Start, Run, typing CMD and then pressing Enter. When the Command Prompt window appears, type IPCONFIG /ALL. This shows information such as your current IP address, subnet mask, default gateway, WINS server, DHCP server and how long your DHCP lease is for.
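A small parser for IPCONFIG /ALL output that reports whether each adapter's address came from DHCP (an added example, not from the course material; the SAMPLE listing is constructed, not captured from a real machine). It also flags a 169.254.x.x autoconfiguration address, which is what Windows assigns itself when DHCP is enabled but no DHCP server answered.

```python
"""Parse IPCONFIG /ALL output and report how each adapter obtained its address.
Added example, not from the course text; SAMPLE is a constructed Windows 2000
listing, not captured from a real machine."""
import re
from datetime import datetime

SAMPLE = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : ws01
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example 10/100 PCI adapter (constructed)
        Physical Address. . . . . . . . . : 00-50-DA-11-22-33
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.25
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.2
        DNS Servers . . . . . . . . . . . : 192.168.0.2
                                            192.168.0.3
        Primary WINS Server . . . . . . . : 192.168.0.4
        Lease Obtained. . . . . . . . . . : 12 June 2005 09:15:02
        Lease Expires . . . . . . . . . . : 20 June 2005 09:15:02

Ethernet adapter Wireless:

        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 169.254.37.12
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

ADAPTER = re.compile(r"^\S.*adapter (.+):$")
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}}; the global block is keyed ''."""
    adapters, current, last_key = {"": {}}, "", None
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:
            current, last_key = m.group(1), None
            adapters[current] = {}
            continue
        m = FIELD.match(line)
        if m:
            last_key, value = m.group(1), m.group(2).strip()
            adapters[current][last_key] = [value] if value else []
        elif line.strip() and last_key:
            adapters[current][last_key].append(line.strip())  # wrapped list, e.g. 2nd DNS server
    return adapters


def address_source(fields):
    """'dhcp', 'apipa' (DHCP on but no server answered: 169.254.x.x self-assigned) or 'static'."""
    ip = (fields.get("IP Address") or [""])[0]
    if ip.startswith("169.254."):
        return "apipa"
    if fields.get("DHCP Enabled", [""])[0] == "Yes" and fields.get("DHCP Server"):
        return "dhcp"
    return "static"


def lease_days(fields):
    """Length of the DHCP lease in whole days, from the Lease Obtained/Expires lines."""
    fmt = "%d %B %Y %H:%M:%S"
    obtained = datetime.strptime(fields["Lease Obtained"][0], fmt)
    expires = datetime.strptime(fields["Lease Expires"][0], fmt)
    return (expires - obtained).days


if __name__ == "__main__":
    for name, fields in parse_ipconfig(SAMPLE).items():
        if name:
            print(name, address_source(fields), fields.get("IP Address"))
```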

Figure 62 Obtaining IP and DNS server addresses


Of course, if you are using a WINS server in your network, you must enter a static WINS server address in the TCP/IP settings. To do this, click the Advanced button to see the dialogue box shown in Figure 64. To set the WINS server, click the WINS tab and then click the Add button.

    Figure 64 Setting the WINS server

When you click Add, the dialogue box shown in Figure 65 appears. Type in the address of your WINS server and then click Add.

Figure 65 Adding the address

You can now see that the WINS server has been added. You may add more than one WINS server and set the order in which the computer will search them, as shown in Figure 66.


Figure 66 Adding more servers

To set the host name for your computer, right-click the My Computer icon on the desktop and click Properties. When the dialogue box appears, as shown in Figure 67, click the Network Identification tab and then click Properties.

Figure 67 Setting host name


    Summary of this section

    Server operating systems

We looked at the basic capabilities of Unix/Linux, NetWare, Windows and Macintosh operating systems.

    Client workstations

We looked at the capabilities of client workstations with regard to connectivity, local security and authentication.

    VLANs

    We learned about the benefits of VLANs.

    Network-attached storage

    We looked at the characteristics of NAS.

    Fault tolerance and disaster recovery

We learned the purpose and characteristics of fault tolerance and RAID devices, their uses and differences. We also looked at disaster recovery and the importance of a good disaster recovery plan and backups.

    Firewalls and proxy servers

We learned about the purpose, benefits and characteristics of using firewalls and proxy servers.

    Security measures

We looked at the appropriate level of security for a given network and how this should be implemented.

    Network and remote access configurations

We learned how to configure a number of remote access connections. Given a network configuration, we learned how to select the appropriate NIC and network configuration settings (DHCP, DNS, WINS, protocols, NetBIOS/host name, etc.).


    Answers to SAQs

    SAQ 3.1

    Unix

Unix is a multi-tasking, multi-user, text-based operating system that was created to run on virtually any hardware platform. It is an operating system that was originally developed in Bell Labs by programmers for programmers, which makes it rather complex to manage, but because it is powerful and stable, it is used in many different types of environments such as hospitals, university and college campuses and many corporate networks. In a typical Unix network, computers with no hard drive and limited processing and memory capability (known as dumb terminals) are connected to a centralised server which carries out the processing based on commands issued from the dumb terminals. Think of it like several monitors and keyboards attached to the same computer.

In more modern networks where Unix systems co-exist with other operating systems such as Windows, network computers will connect to the Unix server via a terminal emulator (such as TELNET).

    Linux

Linux is an open source operating system that is similar to Unix. Linux is commonly used to act as an HTTP, FTP or mail server. It can also be used on PCs as well as servers, and a variety of user-friendly GUIs are available to make it easier to use.

The functionality, adaptability and robustness of Linux have made it the main alternative to Unix and Microsoft operating systems. Computers with processing power as low as a 386-based CPU can install and run a Linux system. The ongoing development of Linux is supported by IBM, Hewlett-Packard and other large technology companies.

    Microsoft Windows

Windows 2000 Professional is the preferred 32-bit desktop environment, providing a combination of Windows 98 usability and Windows NT 4 reliability. New features include support for power management, plug and play and support for new file system features, including Encrypting File System (EFS).

    Main Features of Windows 2000 are:

Support for the file systems FAT16, FAT32 and NTFS

Increased uptime of the system and significantly fewer operating system crashes requiring a reboot

The implementation of Windows Installer, which tracks application installations and recognises and replaces missing components


Protection of the memory of individual applications and processes to avoid a single application bringing the system down

    Encrypted file systems to protect sensitive data

    Secure VPN supports tunnelling into a private LAN over the Internet

    Personalised menus adapt to the way users work

The multilingual version allows switching of the user interface and Help language, based on logon

Includes broader support for high-speed networking devices, including native ATM and cable modems

Support for universal serial bus (USB) and IEEE 1394 for a greater range of bandwidth devices

    Novell NetWare

NetWare was developed by Novell in the early 1980s and is based on the Xerox Network System. It is a NOS (network operating system) that allows file and printer sharing and mail functionality using a client/server architecture. That is, clients log into the server and use its resources while logged in.

NetWare used to be very popular as a network operating system, and can still be found in many corporate networks today, but it has now largely been overtaken by the versatility of the Windows operating systems.

    Apple Macintosh

Mac OS X Server is Apple's NOS. It was introduced to rival the Windows NT, Novell NetWare and Linux operating systems. Mac OS X Server provides file and print sharing, a web server, and multimedia content streaming services to Apple Macintosh-based networks. Mac OS X Server also introduces NetBoot and Macintosh Management Services, features designed to ease the administrative tasks involved with Macintosh networks and save network administrators time.

The first Macintosh NOS is a robust server that will fulfil the networking needs of Macintosh web design shops, companies supporting Macintosh clients, and Macintosh workgroups or labs.

    SAQ 3.2

A VLAN segments a switched network by allowing broadcasts to propagate within the VLAN only. This improves the speed of the network and also improves security, as a host on VLAN1 cannot communicate with a host on VLAN2 without the use of an intermediate router.


    SAQ 3.3

    1 Network attached storage.

2 Fault tolerance is a process by which a duplicate system or service runs alongside the existing system or service so that, in the event of a failure, the duplicate can re-create the system or service.

3 RAID 0 is also known as disk striping. Here data is striped across two or more disks. This improves speed but has no redundancy, so if one disk fails then all data has to be restored from a backup.

4 RAID 1 is also known as disk mirroring. RAID 1 usually uses two or more disks; it mirrors the data from one disk across to another disk. Thus if one disk fails the other contains the same data and can be used to restore the data.

5 RAID 5 is a stripe set with parity. This brings the benefit of the speed increase of a stripe set, but contains redundancy information so that if one disk fails, the data can be reproduced from the other disks and the redundancy information.

    6 UPS stands for uninterruptible power supply. It is used to take over i